invenio: better secret key and salts management
* Adds missing salts to harden security.

* Deprecates plain-text keys in values and requires them to be provided through a secret.

* Automatically generates secret key and salts if no secret is provided.
egabancho committed Dec 16, 2024
1 parent c6d4708 commit ba16db7
Showing 8 changed files with 60 additions and 4 deletions.
18 changes: 18 additions & 0 deletions charts/invenio/templates/NOTES.txt
Expand Up @@ -26,3 +26,21 @@ DEPRECATION WARNING:
`invenio.sentry.existingSecret` will be removed in a future release.

{{- end }}

{{- if or .Values.invenio.secret_key .Values.invenio.security_login_salt .Values.invenio.csrf_secret_salt }}

DEPRECATION WARNING:
`invenio.secret_key`, `invenio.security_login_salt`, and `invenio.csrf_secret_salt`
have been deprecated and will be removed in future releases. Please use
`invenio.existingSecret` to set their values or let the chart generate random ones
for you.

{{- end }}

{{- if .Values.invenio.existing_secret}}

DEPRECATION WARNING:
`invenio.existing_secret` has been removed in favor of
`invenio.existingSecret` and it will be removed in a future release.

{{- end }}
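Review bot: The `invenio.existing_secret` warning says the value `has been removed` and in the next line that `it will be removed in a future release`, which contradicts itself; since values.yaml still carries the key, `has been deprecated in favor of` matches the other two warnings in this file. Also `{{- if .Values.invenio.existing_secret}}` lacks the space before `}}` that the surrounding actions use; harmless for the template engine, but inconsistent.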
11 changes: 11 additions & 0 deletions charts/invenio/templates/_helpers.tpl
Expand Up @@ -299,3 +299,14 @@ Add sentry environmental variables
key: {{ .Values.invenio.sentry.secretKeys.dsnKey }}
{{- end }}
{{- end -}}
{{/*
Get the invenio general secret name
*/}}
{{- define "invenio.secretName" -}}
{{- if .Values.invenio.existingSecret -}}
{{- print (tpl .Values.invenio.sentry.existingSecret .) -}}
{{- else -}}
{{- "invenio-secretes" -}}
{{- end -}}
{{- end -}}
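Review bot: `invenio.secretName` reads `.Values.invenio.sentry.existingSecret` inside the `if .Values.invenio.existingSecret` branch, so a user who sets `invenio.existingSecret` gets the sentry secret's name (or an empty string if sentry has none) wired into every `envFrom`, and the general secret is never loaded; the line should be `{{- print (tpl .Values.invenio.existingSecret .) -}}`. The fallback `"invenio-secretes"` reads like a misspelling of `invenio-secrets`; it must match the `metadata.name` in secret.yaml, which is outside this hunk, so please confirm the two agree. Because this name only ends up in pod specs, a mismatch would surface when pods start rather than at install time.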
2 changes: 2 additions & 0 deletions charts/invenio/templates/install-init-job.yaml
Expand Up @@ -33,6 +33,8 @@ spec:
envFrom:
- configMapRef:
name: invenio-config
- secretKeyRef:
name: {{ include "invenio.secretName" . }}
env:
- name: TZ
value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
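Review bot: `secretKeyRef` is not a valid entry under `envFrom`; the PodSpec field for loading a whole Secret is `secretRef` (`secretKeyRef` exists only inside `env[].valueFrom`). Depending on the API server's field validation this is either rejected at apply time or silently dropped, in which case the pods start without `INVENIO_SECRET_KEY` and the salts. Change the added lines to `- secretRef:` / `name: {{ include "invenio.secretName" . }}`; the same two lines are added in web-deployment.yaml, worker-beat-deployment.yaml and worker-deployment.yaml. The `envFrom` block belongs to a container spec that continues outside the hunk.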
13 changes: 9 additions & 4 deletions charts/invenio/templates/secret.yaml
@@ -1,4 +1,4 @@
{{- if not (.Values.invenio.existing_secret) }}
{{- if or (not .Values.invenio.existing_secret) (not .Values.invenio.existingSecret) }}
---
apiVersion: v1
kind: Secret
Expand All @@ -11,7 +11,12 @@ metadata:
annotations:
helm.sh/resource-policy: keep
data:
INVENIO_SECRET_KEY: {{ required "Missing .Values.invenio.secret_key" .Values.invenio.secret_key | b64enc }}
INVENIO_SECURITY_LOGIN_SALT: {{ required ".Values.invenio.security_login_salt " .Values.invenio.security_login_salt | b64enc }}
INVENIO_CSRF_SECRET_SALT: {{ required ".Values.invenio.csrf_secret_salt " .Values.invenio.csrf_secret_salt | b64enc }}
INVENIO_SECRET_KEY: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_SECURITY_LOGIN_SALT: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_SECURITY_PASSWORD_SALT: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_SECURITY_CONFIRM_SALT: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_SECURITY_RESET_SALT: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_SECURITY_CHANGE_SALT: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_SECURITY_REMEMBER_SALT: {{ randAlphaNum 128 | b64enc | quote }}
INVENIO_CSRF_SECRET_SALT: {{ randAlphaNum 128 | b64enc | quote }}
{{- end -}}
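Review bot: The new guard `or (not .Values.invenio.existing_secret) (not .Values.invenio.existingSecret)` is true whenever either value is unset, so the chart still renders its own Secret when only one of them is given — including the previously supported `existing_secret: true` case, which now creates a Secret it used not to; the intended condition is `{{- if not (or .Values.invenio.existing_secret .Values.invenio.existingSecret) }}`. Separately, `randAlphaNum 128` is evaluated on every render and `helm.sh/resource-policy: keep` only protects against deletion, so each `helm upgrade` rewrites all eight keys and salts, invalidating sessions, password-reset and confirmation tokens and anything signed with the previous key. The deprecated `invenio.secret_key` and salt values are also dropped silently rather than used as a fallback, so an upgrading user with a key in values gets a new random key without being told. Reusing what is already stored in the release's Secret via `lookup`, with the deprecated value as the second fallback, keeps generate-once behaviour; the remaining keys follow the same pattern. Note that `lookup` returns nothing under `helm template` or `--dry-run`, so those paths still fall back to generation.
```yaml
{{- if not (or .Values.invenio.existing_secret .Values.invenio.existingSecret) }}
{{- /* Keep the values of an already-installed Secret so upgrades do not rotate keys and salts */ -}}
{{- $current := lookup "v1" "Secret" .Release.Namespace (include "invenio.secretName" .) }}
{{- $currentData := dict }}
{{- if and $current $current.data }}
{{- $currentData = $current.data }}
{{- end }}
# … unchanged: apiVersion, kind, metadata …
data:
  INVENIO_SECRET_KEY: {{ index $currentData "INVENIO_SECRET_KEY" | default (.Values.invenio.secret_key | default (randAlphaNum 128) | b64enc) | quote }}
  INVENIO_SECURITY_LOGIN_SALT: {{ index $currentData "INVENIO_SECURITY_LOGIN_SALT" | default (.Values.invenio.security_login_salt | default (randAlphaNum 128) | b64enc) | quote }}
  # … same pattern for the remaining salts; INVENIO_CSRF_SECRET_SALT falls back to .Values.invenio.csrf_secret_salt …
```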
2 changes: 2 additions & 0 deletions charts/invenio/templates/web-deployment.yaml
Expand Up @@ -30,6 +30,8 @@ spec:
envFrom:
- configMapRef:
name: invenio-config
- secretKeyRef:
name: {{ include "invenio.secretName" . }}
env:
- name: TZ
value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
2 changes: 2 additions & 0 deletions charts/invenio/templates/worker-beat-deployment.yaml
Expand Up @@ -43,6 +43,8 @@ spec:
envFrom:
- configMapRef:
name: invenio-config
- secretKeyRef:
name: {{ include "invenio.secretName" . }}
env:
- name: TZ
value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
2 changes: 2 additions & 0 deletions charts/invenio/templates/worker-deployment.yaml
Expand Up @@ -34,6 +34,8 @@ spec:
envFrom:
- configMapRef:
name: invenio-config
- secretKeyRef:
name: {{ include "invenio.secretName" . }}
env:
- name: TZ
value: {{ required "Missing .Values.global.timezone" .Values.global.timezone }}
14 changes: 14 additions & 0 deletions charts/invenio/values.yaml
Expand Up @@ -11,10 +11,24 @@ ingress:

invenio:
hostname: ""
## @param invenio.secret_key DEPRECATED: this is automatically generated now, or set by custom secret using invenio.existingSecret
##
secret_key: ""
## @param invenio.security_login_salt DEPRECATED: this is automatically generated now, or set by custom secret using invenio.existingSecret
##
security_login_salt: ""
## @param invenio.csrf_secret_salt DEPRECATED: this is automatically generated now, or set by custom secret using invenio.existingSecret
##
csrf_secret_salt: ""
## @param invenio.existing_secret DEPRECATED: this is automatically generated now, or set by custom secret using invenio.existingSecret
##
existing_secret: false

## @param invenio.existingSecret General existing secret name for, at least, secret key and salts
## If not set a new secret will be generated automatically with random values
## ref: https://inveniordm.docs.cern.ch/customize/authentication/#security
##
existingSecret: ""
init: false
default_users: [] # Requires invenio.init=true
demo_data: false # Setting invenio.demo_data=true requires also setting default_users!
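Review bot: The `invenio.existingSecret` comment does not say which keys the referenced Secret must contain, yet the pods load it with `envFrom`, so a user-supplied Secret missing any of them leaves the application without that key or salt and Helm will not flag it. Suggest extending the comment to list the expected keys: `## The secret must provide INVENIO_SECRET_KEY, INVENIO_SECURITY_LOGIN_SALT, INVENIO_SECURITY_PASSWORD_SALT, INVENIO_SECURITY_CONFIRM_SALT, INVENIO_SECURITY_RESET_SALT, INVENIO_SECURITY_CHANGE_SALT, INVENIO_SECURITY_REMEMBER_SALT and INVENIO_CSRF_SECRET_SALT`. The `invenio.existing_secret` comment reuses the "automatically generated now" wording, which does not fit a boolean flag; `## @param invenio.existing_secret DEPRECATED: use invenio.existingSecret to name the secret instead` reads better.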
